Rule Placement Analysis

Security policy rules can lose their effectiveness over time due to disorganization, leading to inefficiencies. This often happens because users aren't promptly informed when new rules are added, which can negatively impact existing rules within the rule base. Juniper Security Director Cloud tackles this issue by analyzing where rules are placed and offering suggestions for proper rule placement to prevent anomalies in the security policy rules.

Note:

Rule placement analysis is available only for new rules in a security policy.

You can enable rule placement analysis when you create a security policy or edit an existing security policy. Rule placement analysis identifies the security policy rules that contain the following issues:

  • Shadowing—Occurs when a rule higher in the order of the rule base matches all the packets of a rule lower in the order of the rule base, so the lower rule never takes effect.

  • Redundancy—Occurs when two or more rules perform the same action on the same packets along with the same settings or configurations.

Table 1: Rule Placement Analysis Behavior shows the rule placement analysis behavior for different types of security policy rules. The table uses two rules - one existing rule (Rule 1) and one new rule (Rule 2) - to explain how rule placement works.

Table 1: Rule Placement Analysis Behavior

Each row lists the condition, Rule 1 (Existing), Rule 2 (New), and the suggested rule placement.

Exact match

If a new rule has identical values with existing rules for the Source, Destination, Application/Services, and Action fields, the new rule must be placed after an existing rule.

Rule 1 (Existing):

  • Source: Any

  • Destination: Any

  • Application: App1

  • Action: Permit

Rule 2 (New):

  • Source: Any

  • Destination: Any

  • Application: App1

  • Action: Permit

Suggested rule placement: Place Rule 2 after Rule 1.

Exact match with a different action

If a new rule is identical with existing rules for the Source, Destination, and Application/Services fields but has a different Action, the new rule must be placed before the existing rule.

Rule 1 (Existing):

  • Source: Any

  • Destination: Any

  • Application: App1

  • Action: Permit

Rule 2 (New):

  • Source: Any

  • Destination: Any

  • Application: App1

  • Action: Deny

Suggested rule placement: Place Rule 2 before Rule 1.

New rule is a subset of an existing rule

If a new rule is a subset (more specific) of an existing rule, the new rule must be placed before an existing rule.

Rule 1 (Existing):

  • Source: Group-A (A1, A2, A3, A4)

  • Destination: Any

  • Service: S1

  • Action: Deny

Rule 2 (New):

  • Source: A1

  • Destination: Any

  • Service: S1

  • Action: Deny

Suggested rule placement: Place Rule 2 before Rule 1.

New rule is a superset of an existing rule

If a new rule is a superset (more general) of an existing rule, the new rule must be placed after the existing rule.

Rule 1 (Existing):

  • Source: A1

  • Destination: Any

  • Service: S1

  • Action: Deny

Rule 2 (New):

  • Source: Group-A (A1, A2, A3, A4)

  • Destination: Any

  • Service: S1

  • Action: Deny

Suggested rule placement: Place Rule 2 after Rule 1.

Partial match

If a new rule partially matches an existing rule, the new rule must be placed above an existing rule.

Rule 1 (Existing):

  • Source: Any

  • Destination: Any

  • Service: Group-S (S1, S2, S3)

  • Application: App1

  • Action: Permit

Rule 2 (New):

  • Source: Any

  • Destination: Any

  • Service: S1

  • Application: Group-A (App1, App2)

  • Action: Permit

Suggested rule placement: Place Rule 2 before Rule 1.

No match or no overlap

If a new rule has no overlap with existing rules, the new rule must be placed at the top of the existing rules.

Rule 1 (Existing):

  • Source: 172.16.1.0/8

  • Destination: Any

  • Service: S1

  • Application: App1

  • Action: Deny

Rule 2 (New):

  • Source: Any

  • Destination: 10.0.0.1/8

  • Service: S2

  • Application: App2

  • Action: Permit

Suggested rule placement: Place Rule 2 before Rule 1.
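The shadowing and redundancy definitions above and the placement decisions of Table 1, worked through as an added Python example. This is not Security Director Cloud code: the Rule model, the member lists behind Group-A and Group-S, the assumed name Group-App for the application group in the partial-match row, and all function names are assumptions made for this illustration, and address prefixes are compared as opaque strings rather than expanded into IP ranges.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed group definitions, assumed for the example (not from the page).
GROUPS = {
    "Group-A": frozenset({"A1", "A2", "A3", "A4"}),
    "Group-S": frozenset({"S1", "S2", "S3"}),
    "Group-App": frozenset({"App1", "App2"}),  # assumed name for the table's application group
}
Members = Optional[FrozenSet[str]]  # None stands for the 'Any' wildcard


def expand(value: str) -> Members:
    """Resolve a field value to its member set; 'Any' becomes None."""
    if value == "Any":
        return None
    return GROUPS.get(value, frozenset({value}))  # prefixes stay opaque strings


def covers(a: Members, b: Members) -> bool:
    """True when every value matched by b is also matched by a."""
    if a is None:
        return True  # Any covers everything
    return b is not None and b <= a  # only Any covers Any


def overlaps(a: Members, b: Members) -> bool:
    """True when a and b match at least one common value."""
    return a is None or b is None or bool(a & b)


@dataclass(frozen=True)
class Rule:
    name: str
    source: str = "Any"
    destination: str = "Any"
    service: str = "Any"
    application: str = "Any"
    action: str = "Permit"

    def match_sets(self) -> List[Members]:
        return [expand(v) for v in (self.source, self.destination, self.service, self.application)]


def relation(new: Rule, existing: Rule) -> str:
    """Classify the traffic matched by `new` relative to `existing`."""
    pairs = list(zip(new.match_sets(), existing.match_sets()))
    existing_covers_new = all(covers(e, n) for n, e in pairs)
    new_covers_existing = all(covers(n, e) for n, e in pairs)
    if existing_covers_new and new_covers_existing:
        return "exact"
    if existing_covers_new:
        return "subset"  # new rule is more specific
    if new_covers_existing:
        return "superset"  # new rule is more general
    return "partial" if all(overlaps(n, e) for n, e in pairs) else "disjoint"


def suggest_placement(new: Rule, existing: Rule) -> Tuple[str, str]:
    """Return ('before' | 'after', reason) following the rows of Table 1."""
    rel = relation(new, existing)
    if rel == "exact" and new.action == existing.action:
        return "after", "exact match: the new rule is redundant"
    if rel == "exact":
        return "before", "same match, different action: the new rule must win"
    if rel == "subset":
        return "before", "more specific: it would be shadowed if placed after"
    if rel == "superset":
        return "after", "more general: it would shadow the existing rule if placed before"
    return "before", "partial overlap: place above" if rel == "partial" else "no overlap: place at the top"


def find_anomalies(rule_base: List[Rule]) -> List[Tuple[str, str, str]]:
    """Report later rules fully matched by an earlier rule: same action -> redundant, else shadowed."""
    findings = []
    for i, later in enumerate(rule_base):
        for earlier in rule_base[:i]:
            if relation(later, earlier) in ("exact", "subset"):
                kind = "redundant" if later.action == earlier.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # report the first rule that hides this one
    return findings


# Constructed (existing, new) pairs mirroring the rows of Table 1.
TABLE_ROWS = {
    "exact match": (Rule("R1", application="App1"), Rule("R2", application="App1")),
    "exact match, different action": (Rule("R1", application="App1"),
                                      Rule("R2", application="App1", action="Deny")),
    "new rule is a subset": (Rule("R1", source="Group-A", service="S1", action="Deny"),
                             Rule("R2", source="A1", service="S1", action="Deny")),
    "new rule is a superset": (Rule("R1", source="A1", service="S1", action="Deny"),
                               Rule("R2", source="Group-A", service="S1", action="Deny")),
    "partial match": (Rule("R1", service="Group-S", application="App1"),
                      Rule("R2", service="S1", application="Group-App")),
    "no overlap": (Rule("R1", source="172.16.1.0/8", service="S1", application="App1", action="Deny"),
                   Rule("R2", destination="10.0.0.1/8", service="S2", application="App2")),
}


def analyse_table() -> dict:
    """Map each Table 1 row to where Rule 2 should go relative to Rule 1."""
    return {row: suggest_placement(new, existing)[0] for row, (existing, new) in TABLE_ROWS.items()}


if __name__ == "__main__":
    for row, where in analyse_table().items():
        print(f"{row:30s} -> place Rule 2 {where} Rule 1")
    print(find_anomalies([Rule("deny-group", source="Group-A", service="S1", action="Deny"),
                          Rule("permit-a1", source="A1", service="S1")]))
```

Running the script prints one placement per table row and then reports `permit-a1` as shadowed by `deny-group`, the situation the subset row is designed to prevent. The key design choice is to compare each match field as a set, with `Any` as a wildcard that covers every other value; that single `covers` relation gives exact, subset, superset, partial and disjoint as the four possible combinations of "existing covers new" and "new covers existing" plus an overlap check, which is all the placement table needs.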